Side effects:
• Can be used to execute malicious code
• Downloads a malicious file

Files

It copies itself to the following location:
• %userprofile%\Start Menu\Programs\Startup\lsass.exe

It tries to download a file:

– The location is the following:
• www4.0**********0.com/2013/08/25/19/5**********.png

It is saved on the local hard drive under:
• %userprofile%\Application Data\0003CB21.exe

This file is executed once it has been fully downloaded. Further investigation showed that this file is also malware, detected as: TR/Crypt.ZPACK.Gen8

Internet connection

To check for an internet connection, the following DNS server is contacted:
• www.**********25.com/

Accesses internet resources:
• vcx.a**********k.com/PoM.php
• www4.0**********0.com/2013/08/25/19/541584649.png